hxxp://185[.]196[.]10[.]4/mamonts[.]php

Resubmissions

03/07/2024, 19:28

240703-x6sg3athqq 1

03/07/2024, 18:57

240703-xl721svdld 1

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://185.196.10.4/mamonts.php

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645066804317924"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1988	chrome.exe
1988	chrome.exe
228	chrome.exe
228	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1988	chrome.exe
1988	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe
Token: SeShutdownPrivilege	1988	chrome.exe
Token: SeCreatePagefilePrivilege	1988	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 4172	1988	chrome.exe	81
PID 1988 wrote to memory of 4172	1988	chrome.exe	81
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 1032	1988	chrome.exe	82
PID 1988 wrote to memory of 3884	1988	chrome.exe	83
PID 1988 wrote to memory of 3884	1988	chrome.exe	83
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84
PID 1988 wrote to memory of 4624	1988	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://185.196.10.4/mamonts.php
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8a478ab58,0x7ff8a478ab68,0x7ff8a478ab78
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1808,i,14291432253695399344,14787281379013756766,131072 /prefetch:2
  2⤵
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1808,i,14291432253695399344,14787281379013756766,131072 /prefetch:8
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2232 --field-trial-handle=1808,i,14291432253695399344,14787281379013756766,131072 /prefetch:8
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1808,i,14291432253695399344,14787281379013756766,131072 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1808,i,14291432253695399344,14787281379013756766,131072 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 --field-trial-handle=1808,i,14291432253695399344,14787281379013756766,131072 /prefetch:8
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4372 --field-trial-handle=1808,i,14291432253695399344,14787281379013756766,131072 /prefetch:8
  2⤵
  PID:856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4200 --field-trial-handle=1808,i,14291432253695399344,14787281379013756766,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:228

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9e6ec13c58a0bbc3c8191190158fecf0

SHA1
7583cbb28a1cb3540681d356b25e37ee65e20928

SHA256
7fd904c8c1f78ac34a3f87c8866ab17e3199f2df287d579b2faaec0d8d7abfa1

SHA512
a0274351ed893b02305f1b75726ba718a030c28141e861e7d40cd46721963b5455db986714288e5d41637056ee685f58f3ff8307a4b005dcf218391abcb4aec6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
944757a44a395a5085eeab8a7074bb85

SHA1
78defa5f03d54b77da2543099526ec1d0ee0d722

SHA256
f3713b29b41fa94f700abc8acff839c593b047e34b400c4af2575709f6a4e76c

SHA512
b565a959dbbbe579ae0848d81913a8017c7f0164438aefb556ef9590e591b0bbe381a90ee13e2dbb9585b62d5ecbaf8d5aa32281362e17ca094e9e7f900f5f6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
176820a70fd5e8a1eaf9f06dae6d199e

SHA1
50bb25afe84f8128a5d6ec55fb0f147f0707e543

SHA256
5c0e7857d77cf68f48dcdf1e992e077450247775c6d800dd5d1cfb7542ece409

SHA512
79ff94715ae194ebbc21b7ceb526b63a3ff190646b777dc615280ff3ee04e7756540e098f1dc677ed7bc34015fa44905f74576f03151ea7b63a02f2075081c63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
97683cac1723771990437a04159d03f2

SHA1
382e44121cbacc1e514d1a8ed5a2a3aa306e8cb8

SHA256
0c493bf43df8e7a1b4d54dbf7880a4f7bbe7ad8f3827103c098af643c27dc388

SHA512
ec0c0146643feaab29c776cfb70c671e72f452f4471096545dff18572ca355071bdafa8d0150276e9c2b0d33a4112e7bf2c449bc6497b824a83d3d555d40c2a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
b628dd3eaa895c97967e157ed2b74893

SHA1
ee3b74cdb5b54623c45320b3f2cdd4b275bb0571

SHA256
41e7a2eda4aed3c466a5a98d4aa29728a0245d61fa087eda8ac9130665ed7769

SHA512
b3288a1099d22242be1da6f3a51c7947caaf347a804ad35fcf749b80a926762d7997e0a6cb7f8e2059a29e93fda6850aa6abd22342a778232a4f96bdbd3d56bc

Download Submit